- There are so many themes/plugins for WordPress available from third-party developers, and people usually don't audit them before installing them. Since the entry barrier for PHP is very low, many of those third-party developers have little or no IT security knowledge.
I think one of the most likely scenarios is where a WordPress setup is configured with a plugin/theme which allows anonymous uploads.
Basically, you:
- Need to make sure unauthorized/anonymous uploads are not allowed
- Move uploaded files out of the web root directory, so nothing uploaded can ever be requested (or executed) directly by URL
- Verify the content to make sure only what you expect gets uploaded and saved (check the bytes, not the client-supplied file name or MIME type)
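The three controls above, combined in one upload handler for a hypothetical WordPress plugin. This is an added example, not code from the post or from any real plugin; the hook name `example_upload`, the nonce action and the `private_uploads` directory one level above `ABSPATH` are assumptions.

```php
<?php
/*
 * Hardened upload handler for a hypothetical WordPress plugin (added example).
 * Assumes PHP >= 7.4 with the fileinfo extension and a recent WordPress.
 * Controls from the post: (1) no anonymous uploads, (2) storage outside the
 * web root, (3) content verification before anything is saved.
 */

// (1) Only the authenticated AJAX hook is registered. Deliberately NOT
// registering 'wp_ajax_nopriv_example_upload' means anonymous requests
// never reach this handler at all.
add_action('wp_ajax_example_upload', 'example_handle_upload');

function example_handle_upload(): void {
    // Being logged in is not enough: require the upload capability and a nonce.
    if (!current_user_can('upload_files')) {
        wp_send_json_error('forbidden', 403);
    }
    check_ajax_referer('example_upload_nonce', 'nonce');

    $file = $_FILES['file'] ?? null;
    if (!$file || $file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        wp_send_json_error('no file', 400);
    }

    // (3) Verify the content. The allow-list maps detected MIME type to the
    // extension WE choose; the client's name and Content-Type are ignored.
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime]) || @getimagesize($file['tmp_name']) === false) {
        wp_send_json_error('unsupported content', 415);
    }

    // (2) Store outside the web root under a random, server-chosen name.
    // Assumed location: a directory beside (not inside) the WordPress install.
    $dir = dirname(ABSPATH) . '/private_uploads';
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        wp_send_json_error('storage unavailable', 500);
    }
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = $dir . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        wp_send_json_error('write failed', 500);
    }
    chmod($dest, 0600); // readable by the PHP user only, never executable

    // Return an opaque id; a separate script that re-checks authorization
    // streams the file back later, so the web server never serves it directly.
    wp_send_json_success(['id' => $name]);
}
```

Because the directory is outside the document root and the name is generated server-side, even a file that slips past the content check cannot be reached by URL or executed by the web server.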
Proof of concept:
"Please note, this picture is just for educational purposes; any attempt to illegally hack into third-party system(s) may be punished in accordance with your country's national law."
Download link: